Monthly Archives: April 2014

Google Expands Virus Scans to All Apps, Not Just Play Store

Only a few days ago it was discovered that one of the most popular paid apps on Google Play was actually fake, yet it was able to pull in an estimated $40,000 from users who thought it was working. Virus Shield, an app that claimed to protect devices against viruses, actually did nothing of the sort.

 

Malicious and fake Android apps have consistently been in the news recently, and to combat that Google is expanding its Verify Apps service. Verify Apps, which has been around since 2012, will now periodically rescan already-installed applications and will also monitor programs that come from third-party marketplaces. While this may not address the issue of bogus apps that simply do nothing, it will help to protect against apps that are actually malicious.

Users have allowed Verify Apps to monitor 4 billion app installations since 2012, Google says, and even though malicious apps are not common, the service has protected devices. Rather than taking control away from the user, Verify Apps simply warns that an app may be dangerous, which Google says is an effective way to curb malicious installations.

Third-Party Marketplaces

When comparing iOS and Android it is easy to see that Google’s mobile operating system is more open, but also more susceptible to attacks. Apple has always taken a “walled garden” approach to its app store, reviewing every new app before it is admitted, as well as each update that is applied to it. By rigorously reviewing apps and preventing installs from other marketplaces (unless a phone is “jailbroken”), iOS is generally safer.

Things are beginning to change, however, now that Google is confronting the issue of malicious apps with its scanning services. Android may account for the majority of app-related malware, but according to some reports only 0.1 percent of infected apps are found in the Google Play Store.

The new Verify Apps service will continuously check programs no matter where they are from, ensuring that Android devices are more protected. Google says that even though more people will encounter the app warnings, they will still be rare.

“Because potentially harmful applications are very rare, most people will never see a warning,” wrote Google. “The good news is that very few people have ever encountered this; in fact, we’ve found that fewer than 0.18 percent of installs in the last year occurred after someone received a warning that the app was potentially harmful.”

Fake Apps

Virus Shield, the fake anti-virus app described above, is a case in point. Although its creators now claim that a developer accidentally published the app before it was finished, Virus Shield highlights the fact that users receive insufficient protection against bogus apps on the Play Store.

We asked Charles King, principal analyst at Pund-IT, for his view on the Virus Shield issue and how Google should go about monitoring its app store in the future. He told us that Apple’s more-thorough approach would make sense.

“Apple’s process of scanning/verifying apps seems like a reasonable approach, but since the company also charges developers substantially more than Google it also has more cash to throw at the problem,” King said. “App store owners may decide that weathering the occasional embarrassing incident makes better business sense than scanning tens of thousands of apps that will, in the end, drive very little in the way of sales or profits.”

 

 

Via: enterprise-security-today

The French Move To Protect Workers From After-Hours Email

Note: The post below was immensely popular on our social networks today; clearly, this story hit a nerve with email-weary workers across America and the world. We wish to clarify some information in The Guardian report. French unions did not ban French employees from sending emails after precisely 6 p.m.; the agreement, meant to protect some workers from too much after-hours work intrusion (and consequently burnout), does not stipulate 6 p.m. as a hard stopping time for work-related emails. In addition, the agreement won’t affect as many people as The Guardian report suggested: about 200,000-250,000 workers will be affected by the rule, according to French media.

There are many ways to distance yourself from the crushing tidal wave that is your work inbox. You can, for instance, impose an email sabbatical, which is supposed to be good for your mental health. Or you can plow through all of your emails in one go with the savvy use of search filters.

Now, there’s a new lifehack for dealing with email 24/7, and it might just be our favorite yet: move to France. The Guardian reports that the country’s workers’ unions just imposed a ban that forbids employees from attending to “work-related material on their computers or smartphones” after they clock out for the day:

Now employers’ federations and unions have signed a new, legally binding labour agreement that will require staff to switch off their phones after 6pm. Under the deal, which affects a million employees in the technology and consultancy sectors (including the French arms of Google, Facebook, Deloitte and PwC), employees will also have to resist the temptation to look at work-related material on their computers or smartphones –or any other kind of malevolent intrusion into the time they have been nationally mandated to spend on whatever the French call la dolce vita.

Emphasis added. So, in addition to 35-hour work weeks, it is now frowned upon for the French workforce to tend to business once it’s time to eat dinner. Germany’s labor ministry has similar after-hours measures in place. Though it’s unclear exactly how the agreement will be enforced, it’s a nice perk to have in any case. C’est la vie.

Via: fastcompany

Google takes down fake anti-virus app that duped 10,000 users on Play Store

A 17-year-old scam artist allegedly ripped off 10,000 people who purchased a fake anti-virus app.

His app made it to number one on the Google Play Store Top New Paid Android Apps page, before it was taken down last Sunday, 6 April 2014.

The Virus Shield app cost $3.99 and claimed to be a scanner that protected Android devices from viruses, while promising to never annoy users with pop-up ads found on many free apps.

Sounds like a good reason to pay four dollars for an app, right?

Well, a blogger for the website Android Police bought the app from the Play Store and discovered that Virus Shield had no anti-virus functionality whatsoever, and didn’t do anything like it claimed.

The app was uploaded to Play Store on 28 March 2014 and in one week Virus Shield amassed more than 10,000 downloads and 1,600 recommendations, surging to the top of Google Play’s new apps, according to media reports.

But almost immediately after Android Police posted a story exposing the app on 6 April 2014, the fake anti-virus app was taken down from the Play Store without explanation, and the developer’s account was suspended.


SophosLabs added malware detection for Virus Shield as Andr/Vshield-A, so people using our Sophos Mobile Security app for Android and Sophos business products are protected.

SophosLabs threat researcher Vanja Svajcer analyzed Virus Shield and showed us how the app deceived users into thinking they were getting anti-virus protection.

The app allows the user to toggle the shield icon, which shows an “X” that changes to a check-mark in the main activity area.


When launched, the app displays a fake scanning progress in the notification bar, just so it looks as though the app is doing something.


According to a report on DailyTech, this brazen scam was pulled off by a 17-year-old from Texas whose real name is Jesse Carter, but who had been scamming under screen names such as Deviant.

Virus Shield’s developer account on Google Play was listed as “Deviant Solutions.”

Unfortunately for the victims of the fraud, Google’s Play Store refund policy only covers the first 15 minutes after you download the app – after that, Google tells you to contact the developer directly to ask for your money back.

I think this would be a good case for Google to have some sympathy for the people who got scammed – and refund the victims their money.

Play Store policing and policies

Google removes fraudulent apps from the Play Store from time to time, for example a fake version of the popular game Plants vs. Zombies that served up adware, and unofficial versions of apps by Apple and BlackBerry that climbed the charts for weeks before Google took them down.

Virus Shield’s quick-and-dirty success shows that fake anti-virus, which has for years been a successful revenue source for cyber criminals targeting Windows users, is going to be a menace for Android users as well.

Fake anti-virus apps have appeared in unregulated alternative Android markets before, and Google has struggled to keep bad apps out of the Play Store.

Researchers recently discovered two popular apps on Google Play that were secretly compromising Android devices to mine cryptocurrencies such as Bitcoin, Litecoin and Dogecoin.

And a Google Glass app that contained hidden spyware was uploaded by two undergrad researchers to Google Play before Google discovered it.

Google’s defense against malicious apps is a program called Bouncer, which has done a fairly decent job of blocking the fraudulent or otherwise malicious apps that have become rampant in non-Google app markets.

As the variety and number of malicious apps continues to grow, Google has to keep up.

On 28 March 2014, Google announced updates to its app developer policies for the Play Store that introduce new rules against misleading advertising and app descriptions, which will hopefully cut down on the amount of adware.

That’s a good thing, although it will be tricky to regulate ad affiliate networks – app vendors can point the finger at their advertising partners.

Play Store is never going to be perfect, so it seems Android users need to be a little more proactive when researching apps and look closely at the reputation of developers.

Via: nakedsecurity

Yahoo Encrypts

Yahoo has offered a public status update for their various encryption projects, including announcing an encrypted version of Yahoo Messenger.

Yahoo has offered a public status update for their various encryption projects, including an announcement that a new, encrypted, version of Yahoo Messenger will be released in the coming months.

On Wednesday, Alex Stamos, Yahoo’s CISO, posted a blog entry on the status of the company’s encryption projects. Yahoo initiated the project in response to a number of public concerns over security and privacy, including revelations that the National Security Agency (NSA) had been monitoring user traffic as part of a massive surveillance program.

As of March 31, Stamos said, all traffic moving between Yahoo data centers was fully encrypted. Google is doing something similar, and in both cases the technology giants seem to be taking this action to stop the NSA from intercepting traffic without proper court orders.

In October 2013, leaked NSA documents outlined a program called MUSCULAR, which focused on capturing the traffic that moved between the various data centers owned by Google and Yahoo. Based on the leaked documents, MUSCULAR enabled the NSA to capture data that might have been missed under the PRISM program or court orders.

However, Google and Yahoo are not the only targets. Facebook and Microsoft are referenced in the leaked documents too, but Yahoo seems to be the first to complete the data center encryption project. Google has been working for some time now to encrypt the data that moves between their data centers, but based on the company’s public statements, that project is ongoing.

Other progress noted by Stamos includes the move to secure Yahoo Mail, including enabling encryption of mail in transit between Yahoo’s servers and other providers that support SMTP TLS (STARTTLS). Note that this server-to-server encryption is opportunistic: it is used only when the other provider also supports it, and an active attacker on the path can strip the STARTTLS offer, so it raises the cost of passive bulk interception rather than guaranteeing confidentiality end to end. The Yahoo homepage and other Yahoo portals now support HTTPS, but not by default: users need to alter the URL to include https:// if they wish to use it.

Yahoo has implemented TLS 1.2, Perfect Forward Secrecy (PFS) and 2048-bit RSA certificate keys for its homepage, email and digital magazine services, but the process of moving all Yahoo-branded properties up to these levels remains ongoing. PFS matters here because session keys are derived from an ephemeral key exchange rather than from the server’s long-term RSA key, so a later compromise of that RSA key does not let an adversary decrypt traffic it recorded earlier.

Finally, Stamos said that a new version of Yahoo Messenger, one that supports encryption, will be deployed in the coming months.

“Our goal is to encrypt our entire platform for all users at all time, by default,” Stamos wrote.

“This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”

 

Via: csoonline

Serious OpenSSL zero-day vulnerability revealed: Heartbleed

A new OpenSSL vulnerability has shown up and some companies are annoyed that the bug was revealed before patches could be delivered for it.

New security holes are always showing up. The latest one, the so-called Heartbleed Bug in the OpenSSL cryptographic library, is an especially bad one.

While Heartbleed only affects OpenSSL’s 1.0.1 series (1.0.1 through 1.0.1f) and the 1.0.2-beta release, 1.0.1 is already broadly deployed. Since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.

The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the server’s private SSL/TLS key and session keys themselves. That key could then, in theory, be used to impersonate the server or decrypt captured traffic, without leaving a trace that the site had been attacked.

This bug is not a problem with OpenSSL’s inherent design; it is an implementation problem, the result of a programming mistake. The TLS heartbeat extension (RFC 6520) lets a peer send a payload and ask for it to be echoed back, and OpenSSL’s implementation (CVE-2014-0160) copied as many bytes as the request claimed to contain without checking that claim against the length of the record actually received, so each request could return up to 64 KB of whatever lay beyond it in the process’s memory. A fix for the 1.0.1 line is already available in OpenSSL 1.0.1g. Work is proceeding rapidly on a patch for the 1.0.2-beta line.
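The over-read described above, as an added example that is not part of the ZDNet article and is not OpenSSL’s own code: a stand-alone C model of the heartbeat handler in its vulnerable form and its fixed form, run against a constructed 64-byte memory image in which a fake private-key fragment sits right after the received record. The names (heartbeat_vulnerable, heartbeat_fixed, build_record, SECRET, MEM_LEN) and the memory layout are this example’s own assumptions; the extra comparison in the fixed handler mirrors the check added in 1.0.1g.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST   1
#define HB_PADDING   16
#define MEM_LEN      64   /* size of the constructed "process memory" image (assumption) */

/* Constructed stand-in for whatever happens to follow the received record on the heap. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

typedef int (*hb_handler_t)(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap);

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the
 * attacker-supplied payload_length is trusted and never compared with the
 * length of the record actually received, so memcpy reads past it. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                       /* the bug: rec_len is never consulted */
    if (hbtype != HB_REQUEST) return -1;
    if (payload > out_cap) return -1;    /* only the reply buffer is bounded */
    memcpy(out, p, payload);             /* over-reads when payload exceeds what was sent */
    return (int)payload;
}

/* Fixed handler, modelled on the bounds check added in OpenSSL 1.0.1g. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype;
    uint16_t payload;

    if ((size_t)1 + 2 + HB_PADDING > rec_len) return -1;   /* too short to be a heartbeat */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    /* Silently discard if the claimed payload does not fit inside the record. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, p, payload);
    return (int)payload;
}

/* Lays out one heartbeat record at the start of `mem` and SECRET right after
 * it, returning the record's true length. `claimed` is what the length field
 * says; `actual` is how many payload bytes are really present. */
static size_t build_record(unsigned char *mem, uint16_t claimed, size_t actual)
{
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memset(mem, 0, MEM_LEN);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memset(mem + 3, 'A', actual);                    /* the genuine payload bytes */
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1); /* adjacent memory */
    return rec_len;
}

/* Returns 1 if a Heartbleed-style request (claims 60 bytes, sends 0)
 * makes `handler` echo SECRET back, 0 otherwise. */
int leaks_secret(hb_handler_t handler)
{
    unsigned char mem[MEM_LEN], out[MEM_LEN];
    size_t rec_len = build_record(mem, 60, 0);
    int n;
    memset(out, 0, sizeof out);
    n = handler(mem, rec_len, out, sizeof out);
    if (n < 0) return 0;
    for (size_t i = 0; i + sizeof SECRET - 1 <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* Returns the number of bytes echoed for an honest 4-byte heartbeat. */
int honest_request(hb_handler_t handler)
{
    unsigned char mem[MEM_LEN], out[MEM_LEN];
    size_t rec_len = build_record(mem, 4, 4);
    return handler(mem, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("honest request, fixed handler:   %d bytes echoed\n", honest_request(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the length of the record that actually arrived. An honest 4-byte heartbeat is echoed identically by both, which is why the bug went unnoticed for so long: on every well-formed request the code does exactly what it should.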

That’s bad enough, but what really has some operating-system and security companies ticked is this: while OpenSSL and others were hard at work delivering the patched versions that would have limited the problem’s usefulness to blackhat hackers, CloudFlare, a Web security company, revealed details of the security hole in a blog posting and said that they had fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately for everyone else, those methods were not ready for broad deployment.

According to one senior security developer at a major operating system company, “The main problem with what CloudFlare did was that they jumped the gun before the FIRST AVAILABLE patches were available to users. You don’t open the door and wave a red flag before the patches are ready to go.”

At this time, I am informed by sources that Red Hat, Debian, SuSE, Canonical, and Oracle, to name a few, are working at a feverish pace to get the patched versions of OpenSSL out to their clients. It’s expected to take approximately 12 hours to deliver the patches. When they become available, anyone using OpenSSL 1.0.1 or 1.0.2-beta must deploy the patched version as fast as possible. Patching only stops further leaks, though: because a server’s private key may already have been read out, the prudent course after updating is to generate a new key, reissue the certificate and revoke the old one, and then invalidate existing sessions and ask users to change passwords.

Via: zdnet

A better approach to online security: Think of the cloud as someone else’s computer

Online storage space isn’t just like your hard drive.

Recently, there was a big hullabaloo about the possibility of Dropbox snooping on users’ files, after Dropbox user Darrell Whitelaw saw a DMCA notice on one of his folders. Since then, Dropbox has clarified the limited way it scans our stuff, but the episode still raises an important point: our Dropbox, Google Drive, OneDrive, and other online storage folders are not really “ours” (even if you pay for the space).

Like Whitelaw, who said in a tweet “I treat [Dropbox] like my hard drive,” many of us think of our online storage space the way we think of hard drives. After all, they function the same and are as easy to access as our local drives.

We don’t really control these folders, though, and even with lots of privacy and security assurances, cloud services will always be riskier than drives you completely own and control.

I don’t think we have to ditch all our online services–they definitely come with worthy conveniences. However, this quote from security expert Graham Cluley (quoted on Sophos) puts it into great perspective:

On this I can give you no more sound advice than that of former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in The Cloud, simply replace all instances of the words “in The Cloud” with the words “on somebody else’s computer”.

The only way to completely keep other people out of your business when it’s on-the-wire or in The Cloud on somebody else’s computer is to encrypt your files before they leave your system, using keys that you control.

Cluley’s thoughts on the Dropbox privacy situation are worth a read, especially if you store sensitive information in the cloud–I mean, on someone else’s computer.

Via: itworld

Why pay for Office for the iPad? These 5 great free suites give you all you need.

Free is good, and so are these five alternatives to Office on the iPad

Don’t like the idea of paying for Office for the iPad? There’s no need to. Instead, use these great free suites you can get today.

HopTo

This suite does more than just let you read and create Word documents and edit Excel files on your iPad. It’s also been built to work with multiple cloud-based storage services, including Google Drive, ConnectBox, Dropbox, and OneDrive. You’ll also be able to access files on your PC. There’s more as well, including a great search that finds files through multiple cloud storage providers. For anyone who uses the cloud with iPad, this is a must-have.

Quickoffice

This free suite from Google lets you create, open, and edit Word, Excel, and PowerPoint files, as well as open and view PDFs. It’s available for Android devices as well as the iPad and iPhone. Naturally, it works with your Google Drive account as well.

Kingsoft Office

Kingsoft Office has a word processor, presentation software, and a spreadsheet. It lets you create, open and work with Microsoft Office documents. There’s also a free version available for Android.

Google Docs

There’s no actual Google Docs app for the iPad. Instead, you get to it via the Web. But it still works, and it has the benefit of working with every other device you own as well. Because it’s Web-based, you can even use it on someone else’s device.

CloudOn

Here’s another suite built from the ground up for working in the cloud. You’ll be able to create, edit, read and share documents, presentations, and spreadsheets on multiple cloud services, including Dropbox, Box, Google Drive, Hightail, and OneDrive. It’s also great for collaboration, letting you share files, and annotate them for others to see as well.

 

Via: itworld

Apple updates OS X Safari – patches a year’s worth of holes, but not on Snow Leopard

In all the excitement over the end of Windows XP and next Tuesday’s ultimate update, we sort of forgot to write about Apple.

In fact, the “other operating system vendor” put out a mid-week update to its Safari browser, including new features and a lot of security fixes.

Two of the security patches stand out especially:

CVE-2014-1300: Ian Beer of Google Project Zero working with HP’s Zero Day Initiative

CVE-2014-1303: KeenTeam working with HP’s Zero Day Initiative

Those are the Safari flaws revealed just under a month ago on Day One and on Day Two at the PWN2OWN 2014 competition in Vancouver, Canada.

The hole found by Google’s security team, CVE-2014-1300, was particularly pernicious.

The Googlers were not only able to escape from Safari and get control, a so-called remote code execution exploit or RCE, but also to:

  • Run a secondary program of their choice. (Naturally, they chose Calculator.)
  • Run their payload as root.
  • Achieve what’s called process continuation, where Safari kept on going after the attack, rather than giving things away by crashing.

So, well done to Apple for getting those PWN2OWN holes closed within a month.

All in all, this update fixes 27 CVEs, of which 26 involve potential RCE, so each of these could have made a drive-by malware attack possible.

Remember that drive-bys are when simply looking at a web site, without clicking any download buttons or answering any “do you want to run this program downloaded from the internet” questions, is enough to get you infected with malware.

The 27th fix is for a sandbox escape, where a process inside the browser could trick the operating system into letting it access files it shouldn’t.

Get the update as soon as you can, if you’re not set up to grab Mac patches automatically: Apple Menu | Software Update…

Was Apple fast enough?

Last time we wrote about OS X updates, we suggested that Apple would do well to adopt an update cycle that was both regular and frequent – just like Patch Tuesday.

Some commenters took exception to the idea.

One objection was that a monthly update cycle for Apple would inevitably and confusingly lead to months without updates, because Apple simply doesn’t have that many holes to fix over the course of a year.

But this update belies that claim, fixing as it does four CVEs from 2013, three of which date back to April 2013.

We also ended up last time with a hearty debate about whether OS X 10.6, nicknamed Snow Leopard, was still supported by Apple.

With no explicit word from Cupertino, we’ll have to use inference, and assume that continued absence of evidence for 10.6 support is evidence of its absence.

This update is for OS X 10.7, 10.8 and 10.9, bumping Safari 6 to 6.1.3 and Safari 7 to 7.0.3.

As fellow writer John Zorabedian said last time, “Poor Snow Leopard (OS X 10.6) is left out in the cold.”

 

Via: nakedsecurity

A licensing loophole lets you use the full Office on iPad without a 365 subscription

Microsoft hopes you won’t exploit this loophole, but is leaving it open (for now).

Microsoft announced (finally) Office for iPad last week, to much fanfare, but there was one big gotcha: To get full editing capabilities (instead of just view-only access), you needed to have an Office 365 subscription, which starts at $100 a year for consumers. Well, there’s a way around that.

All you need is to have someone who does have an Office 365 subscription sign into your Office app on the iPad once and then you’ll have full access in all the apps going forward.

This goes against Microsoft’s licensing agreement, which grants 365 subscribers rights to install Office on five computers as well as five tablets, but there’s no hard limitation to keep users from adding more than that.

Microsoft tells CNN, which first reported this loophole: “Similar to our commercial use rights, we do not strictly enforce the limit on tablet installations, but trust that our users respect and understand the device limits outlined in the EULA [end user license agreement].” The company could enforce stricter licensing checks in the future, but for now there’s nothing stopping family members from activating the full Office apps on iPad for others in their household or for friends.

Via: itworld

5-Year-Old Kid Finds A Security Exploit On The Xbox One, Gets A Researcher Credit

I thought I was a pretty clever kid when I was 5. Other kids ate boogers; I didn’t. Do you know how many gold stars I had? All the gold stars.

One thing I didn’t have, though: an acknowledgement from Microsoft for finding a security vulnerability. This kid does.

In a story that is surely making someone’s day pretty crappy over at Microsoft HQ, a 5-year-old kid reportedly figured out how to bypass the account restrictions meant to keep him off his dad’s Xbox One.

The trick? When asked for a password, he pounded the space bar a bunch of times, then hit enter. For some crazy reason, this… worked. Repeatedly.


Late April Fools’ joke? Doesn’t seem like it. Word of Kristoffer’s 1337-ness comes from ABC 10 News in San Diego, which notes that Microsoft took the bug seriously enough to give Kristoffer a security researcher credit after the bug was patched.

Sure enough, a quick glance at Microsoft’s security acknowledgements for March lists one Kristoffer Wilhelm von Hassel. He’s one of few individuals on the page whose name doesn’t link to a Twitter account, since he’s… you know, too young to have a Twitter account.

Sure, it’s not like the kid found some buffer overflow that let him execute remote code and turn the Xbox into a toaster or whatever. But he tried something, and it worked, and he knew he’d done something he wasn’t supposed to — enough so to admit he felt a bit nervous about the whole thing. This kid is awesome.

Remember to put this one on the ol’ college application when the time comes, Kristoffer. Pretty sure “Acknowledged by Microsoft as a security researcher at the age of 5” would open a door or ten.

Via: techcrunch, ABC10News